8 vulnerabilities found for WS Form Pro by WS Form
CVE-2024-13509 (GCVE-0-2024-13509)
Vulnerability from nvd – Published: 2025-01-28 06:38 – Updated: 2026-04-08 17:06
Title
WS Form LITE and PRO <= 1.10.13 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder | Affected: 0 , ≤ 1.10.13 (semver) | |
| WS Form | WS Form Pro | Affected: 0 , ≤ 1.10.13 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T14:54:11.346546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T15:14:40.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:53.872Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/910d9b31-b63a-427e-830b-a4c6a7e77ade?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3226595/ws-form"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3225862/ws-form"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-20T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE and PRO \u003c= 1.10.13 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13509",
"datePublished": "2025-01-28T06:38:42.309Z",
"dateReserved": "2025-01-17T14:13:37.548Z",
"dateUpdated": "2026-04-08T17:06:53.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5424 (GCVE-0-2023-5424)
Vulnerability from nvd – Published: 2024-06-07 09:33 – Updated: 2026-04-08 16:46
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
Summary
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder | Affected: 0 , ≤ 1.9.217 (semver) | |
| WS Form | WS Form Pro | Affected: 0 , ≤ 1.9.217 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T12:19:36.481560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T12:19:52.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Manh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:46:37.402Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-05T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE \u003c= 1.9.217 - Unauthenticated CSV Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-5424",
"datePublished": "2024-06-07T09:33:35.882Z",
"dateReserved": "2023-10-05T12:15:52.704Z",
"dateUpdated": "2026-04-08T16:46:37.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23988 (GCVE-0-2022-23988)
Vulnerability from nvd – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
Title
WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attackers to submit XSS payloads that are executed when a privileged user views the related submission.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/9d5738f9-9a2e-48… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress | Affected: 1.8.176 , < 1.8.176 (custom) | |
| WS Form | WS Form Pro | Affected: 1.8.176 , < 1.8.176 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:03.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23988",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23988",
"datePublished": "2022-02-28T09:07:03.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23987 (GCVE-0-2022-23987)
Vulnerability from nvd – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
Title
WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/1697351b-c201-4e… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress | Affected: 1.8.176 , < 1.8.176 (custom) | |
| WS Form | WS Form Pro | Affected: 1.8.176 , < 1.8.176 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:01.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23987",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23987",
"datePublished": "2022-02-28T09:07:01.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13509 (GCVE-0-2024-13509)
Vulnerability from cvelistv5 – Published: 2025-01-28 06:38 – Updated: 2026-04-08 17:06
Title
WS Form LITE and PRO <= 1.10.13 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder | Affected: 0 , ≤ 1.10.13 (semver) | |
| WS Form | WS Form Pro | Affected: 0 , ≤ 1.10.13 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-28T14:54:11.346546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-28T15:14:40.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.10.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:53.872Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/910d9b31-b63a-427e-830b-a4c6a7e77ade?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3226595/ws-form"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3225862/ws-form"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-20T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE and PRO \u003c= 1.10.13 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13509",
"datePublished": "2025-01-28T06:38:42.309Z",
"dateReserved": "2025-01-17T14:13:37.548Z",
"dateUpdated": "2026-04-08T17:06:53.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-5424 (GCVE-0-2023-5424)
Vulnerability from cvelistv5 – Published: 2024-06-07 09:33 – Updated: 2026-04-08 16:46
Title
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
Summary
The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| westguard | WS Form LITE – Drag & Drop Contact Form Builder | Affected: 0 , ≤ 1.9.217 (semver) | |
| WS Form | WS Form Pro | Affected: 0 , ≤ 1.9.217 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T12:19:36.481560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T12:19:52.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder",
"vendor": "westguard",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThanOrEqual": "1.9.217",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Duc Manh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:46:37.402Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38ccaa81-77ec-46f2-9bec-d74fa2e093f3?source=cve"
},
{
"url": "https://wsform.com/changelog/?utm_source=wp_plugins\u0026utm_medium=readme"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3098265%40ws-form\u0026new=3098265%40ws-form\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-05T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-06T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WS Form LITE \u003c= 1.9.217 - Unauthenticated CSV Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-5424",
"datePublished": "2024-06-07T09:33:35.882Z",
"dateReserved": "2023-10-05T12:15:52.704Z",
"dateUpdated": "2026-04-08T16:46:37.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23988 (GCVE-0-2022-23988)
Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
Title
WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attackers to submit XSS payloads that are executed when a privileged user views the related submission.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/9d5738f9-9a2e-48… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress | Affected: 1.8.176 , < 1.8.176 (custom) | |
| WS Form | WS Form Pro | Affected: 1.8.176 , < 1.8.176 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.357Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:03.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23988",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Unauthenticated Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/9d5738f9-9a2e-4878-8a03-745894420bf6"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23988",
"datePublished": "2022-02-28T09:07:03.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23987 (GCVE-0-2022-23987)
Vulnerability from cvelistv5 – Published: 2022-02-28 09:07 – Updated: 2024-08-03 03:59
Title
WS Form < 1.8.176 - Admin+ Stored Cross-Site Scripting
Summary
The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/1697351b-c201-4e… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WS Form | WS Form LITE – Drag & Drop Contact Form Builder for WordPress | Affected: 1.8.176 , < 1.8.176 (custom) | |
| WS Form | WS Form Pro | Affected: 1.8.176 , < 1.8.176 (custom) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:59:23.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
},
{
"product": "WS Form Pro",
"vendor": "WS Form",
"versions": [
{
"lessThan": "1.8.176",
"status": "affected",
"version": "1.8.176",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-28T09:07:01.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-23987",
"STATE": "PUBLIC",
"TITLE": "WS Form \u003c 1.8.176 - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WS Form LITE \u2013 Drag \u0026 Drop Contact Form Builder for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
},
{
"product_name": "WS Form Pro",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.8.176",
"version_value": "1.8.176"
}
]
}
}
]
},
"vendor_name": "WS Form"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape their Form Name, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/1697351b-c201-4e85-891e-94fdccbdfb55"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-23987",
"datePublished": "2022-02-28T09:07:01.000Z",
"dateReserved": "2022-01-26T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:59:23.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}